This is an Ubuntu 20.04 machine running a version of Dolibarr that is vulnerable to PHP injection (CVE-2023-30253). This is exploited to get an initial foothold as user www-data; then we find a credential to move laterally to a low-privileged user and retrieve the user flag. For privilege escalation, we abuse a vulnerable installed Enlightenment version (CVE-2022-37706).
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-30 07:23 EDT
Nmap scan report for 10.10.11.11
Host is up, received user-set (0.037s latency).
Not shown: 63419 closed tcp ports (conn-refused), 2114 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 13.56 seconds
Enumerate the open ports.
> nmap $target -p22,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-30 07:37 EDT
Nmap scan report for 10.10.11.11
Host is up, received user-set (0.038s latency).
Scanned at 2024-08-30 07:37:19 EDT for 8s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 062d3b851059ff7366277f0eae03eaf4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH0dV4gtJNo8ixEEBDxhUId6Pc/8iNLX16+zpUCIgmxxl5TivDMLg2JvXorp4F2r8ci44CESUlnMHRSYNtlLttiIZHpTML7ktFHbNexvOAJqE1lIlQlGjWBU1hWq6Y6n1tuUANOd5U+Yc0/h53gKu5nXTQTy1c9CLbQfaYvFjnzrR3NQ6Hw7ih5u3mEjJngP+Sq+dpzUcnFe1BekvBPrxdAJwN6w+MSpGFyQSAkUthrOE4JRnpa6jSsTjXODDjioNkp2NLkKa73Yc2DHk3evNUXfa+P8oWFBk8ZXSHFyeOoNkcqkPCrkevB71NdFtn3Fd/Ar07co0ygw90Vb2q34cu1Jo/1oPV1UFsvcwaKJuxBKozH+VA0F9hyriPKjsvTRCbkFjweLxCib5phagHu6K5KEYC+VmWbCUnWyvYZauJ1/t5xQqqi9UWssRjbE1mI0Krq2Zb97qnONhzcclAPVpvEVdCCcl0rYZjQt6VI1PzHha56JepZCFCNvX3FVxYzEk=
| 256 5903dc52873a359934447433783135fb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK7G5PgPkbp1awVqM5uOpMJ/xVrNirmwIT21bMG/+jihUY8rOXxSbidRfC9KgvSDC4flMsPZUrWziSuBDJAra5g=
| 256 ab1338e43ee024b46938a9638238ddf4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILHj/lr3X40pR3k9+uYJk4oSjdULCK0DlOxbiL66ZRWg
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 8.63 seconds
Enumerate the web site with Firefox and take note of the domain name.
Click on "Websites" tab and then in "Add". Enter any name and click on "Create".
Next, add a new page, select "New page from scratch", enter any title and click on "Create".
Now we edit the page's HTML source, adding PHP code that sends a reverse shell. This is normally blocked by the application, but the filter can be bypassed as indicated in the CVE details. Make sure "Show dynamic content" and "Edit inline" are activated so the PHP code is rendered after saving.
Add a PHP reverse shell; the filter is bypassed by replacing <?php with <?PHP, as indicated in the aforementioned CVE.
Click on "Save"; a reverse shell for user www-data is received on port 1919.
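The bypass above works because the content filter matches the open tag case-sensitively while PHP itself accepts the tag in any case. The following is an added illustration (not Dolibarr's code nor part of the original writeup) that places a naive case-sensitive check beside a hardened case-insensitive one and runs both over constructed page bodies, showing which submissions the weak check misses; it generalizes beyond the <?PHP variant in the text to any case mix.

```python
import re

# Constructed sample page bodies of the kind a website editor might submit.
# They carry only the open tag the filter must catch, no working payload.
SAMPLES = {
    "plain_html": "<h1>Welcome</h1><p>Nothing dynamic here.</p>",
    "lowercase_tag": "<p>x</p><?php echo 'dynamic'; ?>",
    "uppercase_tag": "<p>x</p><?PHP echo 'dynamic'; ?>",
    "mixed_case_tag": "<p>x</p><?Php echo 'dynamic'; ?>",
}


def naive_contains_php(body: str) -> bool:
    """Case-sensitive check: the kind of filter the page describes being bypassed."""
    return "<?php" in body


def hardened_contains_php(body: str) -> bool:
    """Case-insensitive check: PHP's parser treats the open tag case-insensitively,
    so the filter must as well. \\b stops '<?phpx' style non-tags from matching."""
    return re.search(r"<\?php\b", body, re.IGNORECASE) is not None


def audit(samples: dict) -> dict:
    """Return {name: (naive_flagged, hardened_flagged)} for each sample body.

    Any entry that reads (False, True) is a body the naive filter would have
    accepted and the hardened filter rejects, i.e. the blind spot of the weak check.
    """
    return {
        name: (naive_contains_php(body), hardened_contains_php(body))
        for name, body in samples.items()
    }


def blind_spots(samples: dict) -> list:
    """Names of samples that slip past the naive check but not the hardened one."""
    return [name for name, (naive, hard) in audit(samples).items() if hard and not naive]


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:16s} naive={verdict[0]!s:5s} hardened={verdict[1]}")
    print("missed by naive filter:", blind_spots(SAMPLES))
```

The same hardened pattern can be run over stored page templates as a detection sweep after the fact, since an attacker-created page persists on disk regardless of which filter accepted it.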
Shells for user www-data are limited; however, this user is usually allowed to read the /var/www/html directory, where we can harvest passwords.
According to the CVE description, the system library function mishandles path names that begin with a /dev/.. substring. There is an exploit available at https://www.exploit-db.com/exploits/51180 that you can execute for an instant root shell.
Or just try to understand what it does and run it manually. Basically, the vulnerable binary fails to handle a source file when the path begins with the /dev/.. substring. So if we inject a path such as /dev/../tmp;/tmp/exploit, the application will fail to process the first part and will just run the second part. We just need to make sure this second part is a malicious payload that spawns a shell.